[Libwebsockets] Convenience functions for JWTs
andrweigel at googlemail.com
Thu Mar 11 23:32:43 CET 2021
I'm using libwebsockets to create/sign and send JWTs to different
providers, which do not all expect the header fields (and are really
picky when they do not get one they expect "x5t" header or "typ" or
whatever header). There are two things I encountered and couldn't solve:
1) x5t in JOSE header (base64url-encoded sha1sum of DER of certificate
used for signing); I couldn't find any way with lws_x509_cert to
either get this fingerprint directly or to get at the DER representation
in a buffer -- for now, I just used mbedtls directly to produce what I
needed, which sadly does away with the cryptolib independence.
2) Adding header values to the JOSE header. I used lws_jwt_sign_compact
but it does not allow for the addition of any header values besides
"alg". For now, I just copied the function and replaced what I needed.
Did I miss something somewhere?
I'm ready to provide some patches to add the functionality, but I'm not
quite sure about the best approach.
For 1) I would imagine to either add a function directly to retrieve a
fingerprint, or offer a function to expose the DER representation as a
For 2) I thought one could add a function along the lines of
lws_jwt_sign_with_header(struct lws_context *, struct lws_jwk *, struct
lws_jose *, char *out, size_t out_len, char *temp, int tl, const char
and then using lws_jose_render to produce the JSON but then I noticed
that apart from "lws_jws_parse" there's not much to conveniently fill
that structure (again, am I missing something?). I thought about passing
an LWS_COUNT_JOSE_HDR_ELEMENTS-long array, with values or NULL at the
corresponding indices. Finally, I thought it would probably be easiest
to just let the user pass a buffer containing the complete JSON of the
header he wants, parse it via lws_parse into a jose-struct to sanitize
the input and if ok, just copy it to the corresponding lws buffer. What
do you think?
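An added example (not part of the original message and not libwebsockets code): the x5t value from point 1 and the parse-then-sanitize header idea from point 2, shown in Python. The function names, the allowlist check and the placeholder certificate bytes are assumptions made for illustration.

```python
import base64
import hashlib
import json

# JOSE header parameter names registered by RFC 7515, section 4.1.
REGISTERED = {"alg", "jku", "jwk", "kid", "x5u", "x5c", "x5t",
              "x5t#S256", "typ", "cty", "crit"}


def b64url(data: bytes) -> str:
    """base64url without '=' padding, as JWS requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def pem_to_der(pem: str) -> bytes:
    """Drop the PEM armor lines and decode the body back to DER bytes."""
    lines = (ln.strip() for ln in pem.splitlines())
    body = "".join(ln for ln in lines if ln and not ln.startswith("-----"))
    return base64.b64decode(body, validate=True)


def x5t(der: bytes) -> str:
    """x5t = base64url(SHA-1(DER certificate)): raw digest, not its hex text."""
    return b64url(hashlib.sha1(der).digest())


def build_protected_header(alg: str, extra_json: str, cert_pem: str) -> str:
    """Parse caller-supplied header JSON, sanitize it, then add alg and x5t."""
    extra = json.loads(extra_json)
    if not isinstance(extra, dict):
        raise ValueError("header must be a JSON object")
    unknown = set(extra) - REGISTERED
    if unknown:
        raise ValueError(f"unregistered header names: {sorted(unknown)}")
    if "alg" in extra or "x5t" in extra:
        raise ValueError("alg and x5t are set by the signer, not the caller")
    header = {"alg": alg, **extra, "x5t": x5t(pem_to_der(cert_pem))}
    return b64url(json.dumps(header, separators=(",", ":")).encode("utf-8"))


# Constructed input: placeholder bytes standing in for a DER certificate.
SAMPLE_DER = b"abc"
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.b64encode(SAMPLE_DER).decode("ascii")
              + "\n-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    print(build_protected_header("RS256", '{"typ":"JWT"}', SAMPLE_PEM))
```

The returned string is the first segment of a compact JWS; keeping "alg" out of caller control stops a supplied header from changing the algorithm the signer actually uses.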